CH A P T E R

36

Configuring LDAP Servers for AAA

This chapter describes how to configure LDAP servers used in AAA and includes the following sections:

Information About LDAP and the ASA, page 36-1

Licensing Requirements for LDAP Servers, page 36-4

Guidelines and Limitations, page 36-4

Configuring LDAP Servers, page 36-5

Monitoring LDAP Servers, page 36-11

Feature History for LDAP Servers, page 36-12

Information About LDAP and the ASA

The ASA is compatible with the most LDAPv3 directory servers, including:

Sun Microsystems JAVA System Directory Server, now part of Oracle Directory Server Enterprise
Edition, and formerly named the Sun ONE Directory Server

Microsoft Active Directory

Novell

OpenLDAP

By default, the ASA autodetects whether it is connected to Microsoft Active Directory, Sun LDAP,
Novell, OpenLDAP, or a generic LDAPv3 directory server. However, if autodetection fails to determine
the LDAP server type, you can manually configure it.

LDAP Server Guidelines

When configuring the LDAP server, note the following guidelines:

The DN configured on the ASA to access a Sun directory server must be able to access the default
password policy on that server. We recommend using the directory administrator, or a user with
directory administrator privileges, as the DN. Alternatively, you can place an ACL on the default
password policy.

You must configure LDAP over SSL to enable password management with Microsoft Active
Directory and Sun servers.

Cisco ASA Series General Operations CLI Configuration Guide

36-1

Chapter 36

Configuring LDAP Servers for AAA

Information About LDAP and the ASA

The ASA does not support password management with Novell, OpenLDAP, and other LDAPv3
directory servers.

The VPN 3000 concentrator and the ASA/PIX 7.0 software required a Cisco LDAP schema for
authorization operations. Beginning with Version 7.1.x, the ASA performs authentication and
authorization using the native LDAP schema, and the Cisco schema is no longer needed.

How Authentication Works with LDAP

During authentication, the ASA acts as a client proxy to the LDAP server for the user, and authenticates
to the LDAP server in either plain text or by using the SASL protocol. By default, the ASA passes
authentication parameters, usually a username and password, to the LDAP server in plain text.
The ASA supports the following SASL mechanisms, listed in order of increasing strength:

Digest-MD5The ASA responds to the LDAP server with an MD5 value computed from the
username and password.

KerberosThe ASA responds to the LDAP server by sending the username and realm using the
GSSAPI Kerberos mechanism.

The ASA and LDAP server supports any combination of these SASL mechanisms. If you configure
multiple mechanisms, the ASA retrieves the list of SASL mechanisms that are configured on the server,
and sets the authentication mechanism to the strongest one configured on both the ASA and the server.
For example, if both the LDAP server and the ASA support both mechanisms, the ASA selects Kerberos,
the stronger of the two.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data that is
applied to the VPN session. In this case, using LDAP accomplishes authentication and authorization in
a single step.

Note

For more information about the LDAP protocol, see RFCs 1777, 2251, and 2849.

About the LDAP Hierarchy

Your LDAP configuration should reflect the logical hierarchy of your organization. For example,
suppose an employee at your company, Example Corporation, is named Employee1. Employee1 works
in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set
up a single-level hierarchy in which Employee1 is considered a member of Example Corporation. Or you
could set up a multi-level hierarchy in which Employee1 is considered to be a member of the department
Engineering, which is a member of an organizational unit called People, which is itself a member of
Example Corporation. See Figure 36-1 for an example of a multi-level hierarchy.
A multi-level hierarchy has more detail, but searches return results more quickly in a single-level
hierarchy.

Cisco ASA Series General Operations CLI Configuration Guide

36-2

Chapter 36

Configuring LDAP Servers for AAA

Information About LDAP and the ASA

Figure 36-1

A Multi-Level LDAP Hierarchy

Enterprise LDAP Hierarchy

dc=ExampleCorp, dc=com

Marketing

cn=User2

cn=User3

HR

Groups/Departments

cn=User4 Users

330368

cn=User1

OU=Organization Units

Equipment

People

Engineering

Root/Top

Searching the LDAP Hierarchy

The ASA lets you tailor the search within the LDAP hierarchy. You configure the following three fields
on the ASA to define where in the LDAP hierarchy that your search begins, the extent, and the type of
information you are looking for. Together, these fields limit the search of the hierarchy to only the part
that includes the user permissions.

LDAP Base DN defines where in the LDAP hierarchy that the server should begin searching for user
information when it receives an authorization request from the ASA.

Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many
levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the
level immediately below it, or it can search the entire subtree. A single level search is quicker, but
a subtree search is more extensive.

Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common
naming attributes can include cn (Common Name), sAMAccountName, and userPrincipalName.

Figure 36-1 shows a sample LDAP hierarchy for Example Corporation. Given this hierarchy, you could
define your search in different ways. Table 36-1 shows two sample search configurations.
In the first example configuration, when Employee1 establishes the IPsec tunnel with LDAP
authorization required, the ASA sends a search request to the LDAP server, indicating it should search
for Employee1 in the Engineering group. This search is quick.
In the second example configuration, the ASA sends a search request indicating that the server should
search for Employee1 within Example Corporation. This search takes longer.
Table 36-1

Example Search Configurations

No. LDAP Base DN

Search
Scope

Naming
Attribute

Result

group= Engineering,ou=People,dc=ExampleCorporation, dc=com One Level

cn=Employee1 Quicker search

dc=ExampleCorporation,dc=com

cn=Employee1 Longer search

Subtree

Cisco ASA Series General Operations CLI Configuration Guide

36-3

Chapter 36

Configuring LDAP Servers for AAA

Information About LDAP and the ASA

About Binding to an LDAP Server

The ASA uses the login DN and login password to establish trust (bind) with an LDAP server. When
performing a Microsoft Active Directory read-only operation (such as authentication, authorization, or
group search), the ASA can bind using a login DN with fewer privileges. For example, the login DN can
be a user whose AD Member Of designation is part of Domain Users. For VPN password management
operations, the login DN needs elevated privileges, and must be part of the Account Operators AD group.
The following is an example of a login DN:
cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com

The ASA supports the following authentication methods:

Simple LDAP authentication with an unencrypted password on port 389

Secure LDAP (LDAP-S) on port 636

Simple Authentication and Security Layer (SASL) MD5

SASL Kerberos

The ASA does not support anonymous authentication.

Note

As an LDAP client, the ASA does not support the transmission of anonymous binds or requests.

Licensing Requirements for LDAP Servers

Model

License Requirement

All models

Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

IPv6 Guidelines

Supports IPv6.

Cisco ASA Series General Operations CLI Configuration Guide

36-4

Chapter 36

Configuring LDAP Servers for AAA

Configuring LDAP Servers

Configuring LDAP Servers

This section includes the following topics:

Task Flow for Configuring LDAP Servers, page 36-5

Configuring LDAP Attribute Maps, page 36-5

Configuring LDAP Server Groups, page 36-7Configuring Authorization with LDAP for VPN,
page 36-10

Task Flow for Configuring LDAP Servers

Step 1

Add an LDAP server group. See the Configuring LDAP Server Groups section on page 36-7.

Step 2

(Optional) Configure authorization from an LDAP server that is separate and distinct from the
authentication mechanism. See the Configuring Authorization with LDAP for VPN section on
page 36-10.

Step 3

Configure LDAP attribute maps. See the Configuring LDAP Attribute Maps section on page 36-5.
You must add an attribute map before adding an LDAP server to an LDAP server group.

Configuring LDAP Attribute Maps

The ASA can use an LDAP directory for authenticating users for:

VPN remote access users

firewall network access/cut-through-proxy sessions

setting policy permissions (also called authorization attributes), such as ACLs, bookmark lists, DNS
or WINS settings, and session timers.

setting the key attributes in a local group policy

The ASA uses LDAP attribute maps to translate native LDAP user attributes to Cisco ASA attributes.
You can bind these attribute maps to LDAP servers or remove them. You can also show or clear attribute
maps.

Guidelines
The LDAP attribute map does not support multi-valued attributes. For example, if a user is a member of
several AD groups, and the LDAP attribute map matches more than one group, the value chosen is based
on the alphabetization of the matched entries.
To use the attribute mapping features correctly, you need to understand LDAP attribute names and
values, as well as the user-defined attribute names and values.
The names of frequently mapped LDAP attributes and the type of user-defined attributes that they would
commonly be mapped to include the following:

IETF-Radius-Class (Group_Policy in ASA version 8.2 and later)Sets the group policy based on
the directory department or user group (for example, Microsoft Active Directory memberOf)
attribute value. The group policy attribute replaced the IETF-Radius-Class attribute with ASDM
version 6.2/ASA version 8.2 or later.

Cisco ASA Series General Operations CLI Configuration Guide

36-5

Chapter 36

Configuring LDAP Servers for AAA

Configuring LDAP Servers

IETF-Radius-Filter-IdApplies an access control list or ACL to VPN clients, IPsec, and SSL.

IETF-Radius-Framed-IP-AddressAssigns a static IP address assigned to a VPN remote access

client, IPsec, and SSL.

Banner1Displays a text banner when the VPN remote access user logs in.

Tunneling-ProtocolsAllows or denies the VPN remote access session based on the access type.

Note

A single LDAP attribute map may contain one or many attributes. You can only map one LDAP
attribute from a specific LDAP server.

To map LDAP features, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

ldap attribute-map map-name

Creates an unpopulated LDAP attribute map table.

Example:
ciscoasa(config)# ldap attribute-map
att_map_1

Step 2

map-name user-attribute-name
Cisco-attribute-name

Maps the user-defined attribute name department to the Cisco

attribute.

Example:
ciscoasa(config-ldap-attribute-map)#
map-name department IETF-Radius-Class

Step 3

map-value user-attribute-name
Cisco-attribute-name

Maps the user-defined map value department to the user-defined

attribute value and the Cisco attribute value.

Example:
ciscoasa(config-ldap-attribute-map)#
map-value department Engineering group1

Step 4

aaa-server server_group [interface_name]

host server_ip

Identifies the server and the AAA server group to which it

belongs.

Example:
ciscoasa(config)# aaa-server ldap_dir_1
host 10.1.1.4

Step 5

ldap-attribute-map map-name

Binds the attribute map to the LDAP server.

Example:
ciscoasa(config-aaa-server-host)#
ldap-attribute-map att_map_1

Cisco ASA Series General Operations CLI Configuration Guide

36-6

Chapter 36

Configuring LDAP Servers for AAA

Configuring LDAP Servers

Examples
The following example shows how to limit management sessions to the ASA based on an LDAP attribute
called accessType. The accessType attribute may have one of these values:

VPN

admin

helpdesk

The following example shows how each value is mapped to one of the valid IETF-Radius-Service-Type
attributes that the ASA supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6)
Administrative, and nas-prompt (Service-Type 7) NAS Prompt.
ciscoasa(config)# ldap attribute-map
ciscoasa(config-ldap-attribute-map)#
ciscoasa(config-ldap-attribute-map)#
ciscoasa(config-ldap-attribute-map)#
ciscoasa(config-ldap-attribute-map)#

MGMT
map-name accessType IETF-Radius-Service-Type
map-value accessType VPN 5
map-value accessType admin 6
map-value accessType helpdesk 7

ciscoasa(config-ldap-attribute-map)# aaa-server LDAP protocol ldap

ciscoasa(config-aaa-server-group)# aaa-server LDAP (inside) host 10.1.254.91
ciscoasa(config-aaa-server-host)# ldap-base-dn CN=Users,DC=cisco,DC=local
ciscoasa(config-aaa-server-host)# ldap-scope subtree
ciscoasa(config-aaa-server-host)# ldap-login-password test
ciscoasa(config-aaa-server-host)# ldap-login-dn
CN=Administrator,CN=Users,DC=cisco,DC=local
ciscoasa(config-aaa-server-host)# server-type auto-detect
ciscoasa(config-aaa-server-host)# ldap-attribute-map MGMT

The following example shows how to display the complete list of Cisco LDAP attribute names:
ciscoasa(config)# ldap attribute-map att_map_1
ciscoasa(config-ldap-attribute-map)# map-name att_map_1?
ldap mode commands/options:
cisco-attribute-names:
Access-Hours
Allow-Network-Extension-Mode
Auth-Service-Type
Authenticated-User-Idle-Timeout
Authorization-Required
Authorization-Type
:
:
X509-Cert-Data
ciscoasa(config-ldap-attribute-map)#

Configuring LDAP Server Groups

To use an external LDAP server for authentication, authorization, and/or accounting, you must first
create at least one LDAP server group, and add one or more servers to each group. You identify LDAP
server groups by name. Each server group is specific to one type of server.

Guidelines

You can have up to 100 LDAP server groups in single mode or 4 LDAP server groups per context in
multiple mode.

Each group can have up to 16 LDAP servers in single mode or 4 LDAP servers in multiple mode.

Cisco ASA Series General Operations CLI Configuration Guide

36-7

Chapter 36

Configuring LDAP Servers for AAA

Configuring LDAP Servers

When a user logs in, the LDAP servers are accessed one at a time, starting with the first server that
you specify in the configuration, until a server responds. If all servers in the group are unavailable,
the ASA tries the local database if you configured it as a fallback method (management
authentication and authorization only). If you do not have a fallback method, the ASA continues to
try the LDAP servers.

Detailed Steps
The following steps show how to create and configure an LDAP server group, and add an LDAP server
to that group.

Step 1

Command

Purpose

aaa-server server_tag protocol ldap

Identifies the server group name and the protocol. When

you enter the aaa-server protocol command, you enter
aaa-server group configuration mode.

Example:
ciscoasa(config)# aaa-server servergroup1
protocol ldap
ciscoasa(config-aaa-server-group)#

Step 2

max-failed-attempts number

Example:
ciscoasa(config-aaa-server-group)#
max-failed-attempts 2

Specifies the maximum number of requests sent to an

LDAP server in the group before trying the next server.
The number argument can range from 1 and 5. The
default is 3.
If you configured a fallback method using the local
database (for management access only) to configure the
fallback mechanism), and all the servers in the group fail
to respond, then the group is considered to be
unresponsive, and the fallback method is tried. The
server group remains marked as unresponsive for a
period of 10 minutes (by default), so that additional AAA
requests within that period do not attempt to contact the
server group, and the fallback method is used
immediately. To change the unresponsive period from the
default, see the reactivation-mode command in the next
step.
If you do not have a fallback method, the ASA continues
to retry the servers in the group.

Cisco ASA Series General Operations CLI Configuration Guide

36-8

Chapter 36

Configuring LDAP Servers for AAA

Configuring LDAP Servers

Step 3

Command

Purpose

reactivation-mode {depletion [deadtime minutes] |

timed}

Specifies the method (reactivation policy) by which

failed servers in a group are reactivated.
The depletion keyword reactivates failed servers only
after all of the servers in the group are inactive.

Example:
ciscoasa(config-aaa-server-group)#
reactivation-mode deadtime 20

The deadtime minutes keyword-argument pair specifies

the amount of time in minutes, between 0 and 1440, that
elapses between the disabling of the last server in the
group and the subsequent reenabling of all servers. The
default is 10 minutes.
The timed keyword reactivates failed servers after 30
seconds of down time.

Step 4

Identifies the LDAP server and AAA server group to

which it belongs.

aaa-server server_group [interface_name] host

server_ip

Example:
ciscoasa(config)# aaa-server servergroup1 outside
host 10.10.1.1
Move to new procedure for adding a server to a
grouyp

Table 36-2

When you enter the aaa-server host command, you enter

aaa-server host configuration mode. As needed, use host
configuration mode commands to further configure the
AAA server.
Table 36-2 lists the available commands for LDAP
servers, and whether or not a new LDAP server definition
has a default value for that command. If no default value
is provided (indicated by ), use the command to
specify the value.

Host Mode Commands and Defaults

Command

Default Value

Description

ldap-attribute-map

Separate steps in procedure under host command

ldap-base-dn

ldap-login-dn

ldap-login-password

ldap-naming-attribute

ldap-over-ssl

636

ldap-scope

sasl-mechanism

server-port

389

server-type

autodiscovery

timeout

10 seconds

If not set, the ASA uses sAMAccountName for LDAP requests. Whether
using SASL or plain text, you can secure communications between the ASA
and the LDAP server with SSL. If you do not configure SASL, we strongly
recommend that you secure LDAP communications with SSL.

If autodetection fails to determine the LDAP server type, and you know the
server is either a Microsoft, Sun or generic LDAP server, you can manually
configure the server type.

Cisco ASA Series General Operations CLI Configuration Guide

36-9

Chapter 36

Configuring LDAP Servers for AAA

Configuring LDAP Servers

Examples
The following example shows how to configure an LDAP server group named watchdogs and add an
LDAP server to the group. Because the example does not define a retry interval or the port that the LDAP
server listens to, the ASA uses the default values for these two server-specific parameters.
ciscoasa(config)# aaa-server watchdogs protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)#

Configuring Authorization with LDAP for VPN

When user LDAP authentication for VPN access has succeeded, the ASA queries the LDAP server,
which returns LDAP attributes. These attributes generally include authorization data that applies to the
VPN session. Using LDAP in this way accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is returned. For user authorizations in this case,
you can query an LDAP directory after successful authentication, accomplishing authentication and
authorization in two steps.
To set up VPN user authorization using LDAP, perform the following steps.

Detailed Steps

Step 1

Command

Purpose

tunnel-group groupname

Creates an IPsec remote access tunnel group named

remotegrp.

Example:
ciscoasa(config)# tunnel-group remotegrp

Step 2

tunnel-group groupname general-attributes

Associates the server group and the tunnel group.

Example:
ciscoasa(config)# tunnel-group remotegrp
general-attributes

Step 3

authorization-server-group group-tag

Assigns a new tunnel group to a previously created

AAA server group for authorization.

Example:
ciscoasa(config-general)# authorization-server-group
ldap_dir_1

Examples
While there are other authorization-related commands and options available for specific requirements,
the following example shows commands for enabling user authorization with LDAP. The example then
creates an IPsec remote access tunnel group named remote-1, and assigns that new tunnel group to the
previously created ldap_dir_1 AAA server group for authorization:
ciscoasa(config)# tunnel-group remote-1 type ipsec-ra

Cisco ASA Series General Operations CLI Configuration Guide

36-10

Chapter 36

Configuring LDAP Servers for AAA

Monitoring LDAP Servers

ciscoasa(config)# tunnel-group remote-1 general-attributes

ciscoasa(config-general)# authorization-server-group ldap_dir_1
ciscoasa(config-general)#

After you complete this configuration work, you can then configure additional LDAP authorization
parameters such as a directory password, a starting point for searching a directory, and the scope of a
directory search by entering the following commands:
ciscoasa(config)# aaa-server ldap_dir_1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
ciscoasa(config-aaa-server-host)# ldap-login-dn obscurepassword
ciscoasa(config-aaa-server-host)# ldap-base-dn starthere
ciscoasa(config-aaa-server-host)# ldap-scope subtree
ciscoasa(config-aaa-server-host)#

Monitoring LDAP Servers

To monitor LDAP servers,enter one of the following commands:
Command

Purpose

show aaa-server

Shows the configured AAA server statistics.

To clear the AAA server configuration, enter the clear aaa-server
statistics command.

show running-config aaa-server

Shows the AAA server running configuration.

To clear AAA server statistics, enter the clear configure aaa-server
command.

Cisco ASA Series General Operations CLI Configuration Guide

36-11

Chapter 36

Configuring LDAP Servers for AAA

Feature History for LDAP Servers

Feature History for LDAP Servers

Table 36-3 lists each feature change and the platform release in which it was implemented.
Table 36-3

Feature History for AAA Servers

Feature Name

Platform
Releases

LDAP Servers for AAA

7.0(1)

Feature Information
LDAP Servers describe support for AAA and how to
configure LDAP servers.
We introduced the following commands:
username, aaa authorization exec authentication-server,
aaa authentication console LOCAL, aaa authorization
exec LOCAL, service-type, ldap attribute-map,
aaa-server protocol, aaa authentication {telnet | ssh |
serial} console LOCAL, aaa authentication http console
LOCAL, aaa authentication enable console LOCAL,
max-failed-attempts, reactivation-mode,
accounting-mode simultaneous, aaa-server host,
authorization-server-group, tunnel-group, tunnel-group
general-attributes, map-name, map-value,
ldap-attribute-map.

Cisco ASA Series General Operations CLI Configuration Guide

36-12